@chrisdchristo
Created December 28, 2013 13:49
101: OpenLDAP

LDAP runs on port 389

LDAPS runs on port 636

Ubuntu Guide: https://help.ubuntu.com/12.04/serverguide/openldap-server.html

Debian Guide: http://wiki.debian.org/LDAP/OpenLDAPSetup

sudo apt-get install --reinstall slapd ldap-utils ldapscripts libslp1

Re-run the config:

sudo dpkg-reconfigure -plow slapd
Domain Name: mydomain.com
Organization: mydomain Ltd.
Enter random password twice
No to LDAPv2
Use HDB database

You should not have a /etc/ldap/slapd.conf file now, as that is the old method of configuring LDAP.

We will use the slapd-config / RTC (Real-Time Configuration) / cn=config method. This way LDAP can be reconfigured without restarting the service.

The DITs (Directory Information Trees), in other words the LDAP databases, are stored in /etc/ldap/slapd.d/.

Let's check that we have our DNs in our tree:

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b dc=mydomain,dc=com dn

Add the users directory

To add entries to the LDAP server we write a file in LDIF format and then run an LDAP command that loads it. The file contains the data we want added to the directory.

So let's open a new file:

sudo nano ~/add_content.ldif

and add the following contents:

dn: ou=users,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: users

Finally execute the ldap command on this script:

sudo ldapadd -x -D cn=admin,dc=mydomain,dc=com -W -f ~/add_content.ldif

Check that it's in there:

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b dc=mydomain,dc=com dn

Add the machines directory

To add entries to the LDAP server we write a file in LDIF format and then run an LDAP command that loads it. The file contains the data we want added to the directory.

So let's open a new file:

sudo nano ~/add_content.ldif

and add the following contents:

dn: ou=machines,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: machines

Finally execute the ldap command on this script:

sudo ldapadd -x -D cn=admin,dc=mydomain,dc=com -W -f ~/add_content.ldif

Check that it's in there:

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b dc=mydomain,dc=com dn

Add the groups directory

Do the same as above for groups:

So let's open a new file:

sudo nano ~/add_content.ldif

and add the following contents:

dn: ou=groups,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: groups

Finally execute the ldap command on this script:

sudo ldapadd -x -D cn=admin,dc=mydomain,dc=com -W -f ~/add_content.ldif

Add a user to users

Create a new LDIF script:

sudo nano ~/add_content.ldif

and add the following (make sure you change the password):

dn: uid=chris,ou=users,dc=mydomain,dc=com
uid: chris
cn: chris
sn: christo
uidNumber: 10000
gidNumber: 6000
userPassword: chrisldap
loginShell: /bin/bash
homeDirectory: /home/chris
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount

Execute it:

sudo ldapadd -x -D cn=admin,dc=mydomain,dc=com -W -f ~/add_content.ldif

Add the ldap_admin group

dn: cn=ldap_admin,ou=groups,dc=mydomain,dc=com
objectClass: posixGroup
cn: ldap_admin
gidNumber: 5000

Removing OpenLDAP

sudo apt-get remove --purge slapd ldap-utils libslp1
sudo apt-get autoremove
sudo apt-get update
sudo apt-get upgrade
sudo rm -rf /etc/ldap/
sudo rm -rf /var/lib/ldap
sudo rm -rf /var/lib/slapd
sudo rm -rf /var/backups/*.ldapdb

OpenLDAP scripts package config

Open up ldapscripts config file:

sudo nano /etc/ldapscripts/ldapscripts.conf

and insert the following:

SERVER="ldap://n1.mydomain.com"
SUFFIX="dc=mydomain,dc=com" # Global suffix
GSUFFIX="ou=groups"        # Groups ou (just under $SUFFIX)
USUFFIX="ou=users"         # Users ou (just under $SUFFIX)
MSUFFIX="ou=machines"      # Machines ou (just under $SUFFIX)

SASLAUTH=""
BINDDN="cn=admin,dc=mydomain,dc=com"
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"

GIDSTART="10000" # Group ID
UIDSTART="10000" # User ID
MIDSTART="20000" # Machine ID

GCLASS="posixGroup"   # Leave "posixGroup" here if not sure !
USHELL="/bin/bash"
UHOMES="/home/%u"     # You may use %u for username here
CREATEHOMES="yes"      # Create home directories and set rights ?

PASSWORDGEN="pwgen"
RECORDPASSWORDS="no"
PASSWORDFILE="/var/log/ldapscripts_passwd.log"

LOGFILE="/var/log/ldapscripts.log"

LDAPSEARCHBIN="/usr/bin/ldapsearch"
LDAPADDBIN="/usr/bin/ldapadd"
LDAPDELETEBIN="/usr/bin/ldapdelete"
LDAPMODIFYBIN="/usr/bin/ldapmodify"
LDAPMODRDNBIN="/usr/bin/ldapmodrdn"
LDAPPASSWDBIN="/usr/bin/ldappasswd"

GETENTPWCMD=""
GETENTGRCMD=""

GTEMPLATE=""
UTEMPLATE=""
MTEMPLATE=""

Now, create the ldapscripts.passwd file to give ldapscripts access to the directory. Change 'secret' to your LDAP admin password.

sudo sh -c "echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd"
sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd

This might not work if your password contains special characters. You can open the file manually and paste the password there, but text editors add an end-of-line character! To avoid this, open the file in vi and tell it not to add the end-of-line character:

sudo vi /etc/ldapscripts/ldapscripts.passwd
 ESC
:set noendofline binary
:wq
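An added check for the end-of-line problem just described (example code, not from this gist): write_bind_password writes the secret byte-for-byte with mode 0400, and audit_bind_password_file inspects a candidate file the way you would otherwise do by eye with od -c, flagging a trailing newline, stray whitespace or a mode that lets other users read the bind password. The function names are assumptions; the real path is the /etc/ldapscripts/ldapscripts.passwd from the config above, while the demo runs on a temporary file.

```python
import os
import stat
import tempfile
from typing import List


def write_bind_password(path: str, secret: str) -> None:
    """Write the bind password exactly as given: no newline, owner-read-only."""
    if os.path.exists(path):
        os.chmod(path, 0o600)  # a previous 0400 copy would otherwise refuse the open
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o400)
    with os.fdopen(fd, "wb") as f:
        f.write(secret.encode("utf-8"))
    os.chmod(path, 0o400)  # the O_CREAT mode is umask-masked, so set it explicitly


def audit_bind_password_bytes(data: bytes, st_mode: int) -> List[str]:
    """Return the problems found in a bind-password file's content and mode."""
    problems = []
    if not data:
        problems.append("file is empty")
    elif data.endswith((b"\n", b"\r")):
        problems.append("trailing end-of-line character: it would become part of the password")
    elif data != data.strip(b" \t"):
        problems.append("leading or trailing whitespace")
    perm = stat.S_IMODE(st_mode)
    if perm & 0o077:
        problems.append("mode %04o lets group/other read the file; expected 0400" % perm)
    return problems


def audit_bind_password_file(path: str) -> List[str]:
    with open(path, "rb") as f:
        data = f.read()
    return audit_bind_password_bytes(data, os.stat(path).st_mode)


if __name__ == "__main__":
    # Demonstration on a temporary file; the real path is /etc/ldapscripts/ldapscripts.passwd.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ldapscripts.passwd")
        with open(path, "w") as f:
            f.write("secret\n")  # what a text editor typically leaves behind
        print("editor-written file:", audit_bind_password_file(path))
        write_bind_password(path, "secret")
        print("correctly written file:", audit_bind_password_file(path))
```

Run it as root against the real file after editing; an empty list means ldapscripts will bind with exactly the password you typed.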

Easy Commands

add a user (and assign primary group) -> sudo ldapadduser chris admin

delete a user -> sudo ldapdeleteuser chris

change a user's password -> sudo ldapsetpasswd chris

add a group -> sudo ldapaddgroup admin

delete group -> sudo ldapdeletegroup admin

add user to group -> sudo ldapaddusertogroup chris admin

remove user from group -> sudo ldapdeleteuserfromgroup chris admin

add machine -> ldapaddmachine openssl

delete machine -> ldapdeletemachine

You can check the log here:

tail -f /var/log/ldapscripts.log

OpenLDAP SSL

Open up the slapd config file:

sudo nano /etc/default/slapd

and uncomment this line (and comment out its counterpart):

SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"

Now we need to modify the LDAP config. Open up a new LDIF script:

sudo nano ~/modify.ldif

and add the following:

dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/custom/certs/official-www-mydomain-com-ad-inter.crt
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/custom/keys/official-www-mydomain-com.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/custom/certs/official-www-mydomain-com.crt

Execute it via the ldapmodify command:

sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ~/modify.ldif

Add openldap user to ssl-cert group

Then add the openldap user to the ssl-cert group so it can read the SSL files.

sudo usermod -a -G ssl-cert openldap